
Example 1 with OpenIdConnectTokenConfig

use of org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig in project OpenAM by OpenRock.

the class SoapSTSInstanceConfigTest method createIncompleteInstanceConfig.

/*
    The incompleteSaml and incompleteOidc flags indicate that OIDC or SAML2 tokens should be specified in the issued token types,
    but that no corresponding config should be specified.
     */
/**
 * Builds a SoapSTSInstanceConfig that always declares OPENIDCONNECT and SAML2 as issued token types, while the
 * matching token configs are optionally left out, so that callers can exercise the builder's consistency checks.
 *
 * @param withDeploymentConfig attach a placeholder SoapDeploymentConfig
 * @param incompleteSaml when true, no SAML2Config is set although SAML2 is an issued token type
 * @param incompleteOidc when true, no OpenIdConnectTokenConfig is set although OPENIDCONNECT is an issued token type
 * @return whatever the builder produces for that (possibly inconsistent) combination
 * @throws UnsupportedEncodingException propagated from the SAML2/OIDC config helpers
 */
private SoapSTSInstanceConfig createIncompleteInstanceConfig(boolean withDeploymentConfig, boolean incompleteSaml, boolean incompleteOidc) throws UnsupportedEncodingException {
    final SoapDeploymentConfig deployment = withDeploymentConfig ? buildPlaceholderDeploymentConfig() : null;
    final SAML2Config saml2 = incompleteSaml ? null : buildSAML2Config(Collections.<String, String>emptyMap());
    final OpenIdConnectTokenConfig oidc = incompleteOidc ? null : buildOIDCConfig(Collections.<String, String>emptyMap());
    return SoapSTSInstanceConfig.builder()
            .addIssueTokenType(TokenType.OPENIDCONNECT)
            .addIssueTokenType(TokenType.SAML2)
            .deploymentConfig(deployment)
            .oidcIdTokenConfig(oidc)
            .saml2Config(saml2)
            .build();
}

/** Deployment config populated with placeholder values; only its presence matters to the callers. */
private static SoapDeploymentConfig buildPlaceholderDeploymentConfig() {
    final AuthTargetMapping mapping = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "module", "foo")
            .build();
    return SoapDeploymentConfig.builder()
            .uriElement("whatever")
            .amDeploymentUrl("whatever")
            .authTargetMapping(mapping)
            .serviceQName(new QName("namespace", "localpart"))
            .portQName(new QName("namspace", "localpart"))
            .wsdlLocation("webservice.wsdl")
            .build();
}

Example 2 with OpenIdConnectTokenConfig

use of org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig in project OpenAM by OpenRock.

the class SoapSTSInstanceConfigTest method createInstanceConfig.

/**
 * Assembles a SoapSTSInstanceConfig from a set of feature flags so that each test can turn one aspect of the
 * config (keystore, validation policy, delegation, issued token types, CTS persistence) on or off in isolation.
 *
 * @param uriElement the uri element of the deployment config
 * @param amDeploymentUrl the OpenAM deployment url of the deployment config
 * @param withKeystoreConfig attach a SoapSTSKeystoreConfig with fixed test aliases and passwords
 * @param withValidationConfig register security-policy token validation for OPENAM, USERNAME and X509 tokens
 * @param delegationValidatorsSpecified add validated delegation token types (USERNAME, OPENAM)
 * @param customDelegationHandler add a custom delegation token handler class name
 * @param withSAML2Config issue SAML2 tokens and attach a SAML2Config
 * @param withOIDCConfig issue OPENIDCONNECT tokens and attach an OpenIdConnectTokenConfig
 * @param withCTSTokenPersistence value passed through to persistIssuedTokensInCTS
 * @return the built instance config
 * @throws UnsupportedEncodingException if the keystore passwords cannot be encoded with AMSTSConstants.UTF_8_CHARSET_ID
 */
private SoapSTSInstanceConfig createInstanceConfig(String uriElement, String amDeploymentUrl, boolean withKeystoreConfig, boolean withValidationConfig, boolean delegationValidatorsSpecified, boolean customDelegationHandler, boolean withSAML2Config, boolean withOIDCConfig, boolean withCTSTokenPersistence) throws UnsupportedEncodingException {
    final AuthTargetMapping usernameToLdap = AuthTargetMapping.builder()
            .addMapping(TokenType.USERNAME, "service", "ldap")
            .build();
    final SoapDeploymentConfig deployment = SoapDeploymentConfig.builder()
            .portQName(AMSTSConstants.STANDARD_STS_PORT_QNAME)
            .serviceQName(AMSTSConstants.STANDARD_STS_SERVICE_NAME)
            .wsdlLocation("wsdl_loc")
            .realm("realm")
            .amDeploymentUrl(amDeploymentUrl)
            .uriElement(uriElement)
            .authTargetMapping(usernameToLdap)
            .build();
    final SoapSTSKeystoreConfig keystore = withKeystoreConfig ? buildTestKeystoreConfig() : null;

    final SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder();
    if (withValidationConfig) {
        // Second argument mirrors the fixture values per token type; its meaning is defined by the builder.
        builder.addSecurityPolicyTokenValidationConfiguration(TokenType.OPENAM, false);
        builder.addSecurityPolicyTokenValidationConfiguration(TokenType.USERNAME, true);
        builder.addSecurityPolicyTokenValidationConfiguration(TokenType.X509, true);
    }

    // Same attribute map is handed to both the SAML2 and the OIDC config helpers.
    final Map<String, String> claimAttributes = new HashMap<>();
    claimAttributes.put("mail", "email");
    claimAttributes.put("uid", "id");

    SAML2Config saml2 = null;
    if (withSAML2Config) {
        builder.addIssueTokenType(TokenType.SAML2);
        saml2 = buildSAML2Config(claimAttributes);
    }
    OpenIdConnectTokenConfig oidc = null;
    if (withOIDCConfig) {
        builder.addIssueTokenType(TokenType.OPENIDCONNECT);
        oidc = buildOIDCConfig(claimAttributes);
    }

    // Delegation is switched on when either a custom handler or validated delegation token types are requested.
    final boolean delegationSupported = customDelegationHandler || delegationValidatorsSpecified;
    if (delegationSupported) {
        builder.soapDelegationConfig(buildTestDelegationConfig(delegationValidatorsSpecified, customDelegationHandler));
    }
    return builder
            .deploymentConfig(deployment)
            .soapSTSKeystoreConfig(keystore)
            .saml2Config(saml2)
            .oidcIdTokenConfig(oidc)
            .delegationRelationshipsSupported(delegationSupported)
            .persistIssuedTokensInCTS(withCTSTokenPersistence)
            .build();
}

/** Keystore config with fixed test file name, aliases and passwords. */
private static SoapSTSKeystoreConfig buildTestKeystoreConfig() throws UnsupportedEncodingException {
    return SoapSTSKeystoreConfig.builder()
            .keystoreFileName("stsstore.jks")
            .keystorePassword("stsspass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .encryptionKeyAlias("mystskey")
            .signatureKeyAlias("mystskey")
            .encryptionKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .signatureKeyPassword("stskpass".getBytes(AMSTSConstants.UTF_8_CHARSET_ID))
            .build();
}

/** Delegation config carrying the validated token types and/or the custom handler, as requested. */
private static SoapDelegationConfig buildTestDelegationConfig(boolean withValidators, boolean withCustomHandler) {
    final SoapDelegationConfig.SoapDelegationConfigBuilder delegation = SoapDelegationConfig.builder();
    if (withValidators) {
        delegation.addValidatedDelegationTokenType(TokenType.USERNAME, true)
                .addValidatedDelegationTokenType(TokenType.OPENAM, false);
    }
    if (withCustomHandler) {
        delegation.addCustomDelegationTokenHandler("com.org.TokenDelegationHandlerImpl");
    }
    return delegation.build();
}

Example 3 with OpenIdConnectTokenConfig

use of org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig in project OpenAM by OpenRock.

the class OpenIdConnectTokenGenerationImpl method generate.

/**
 * Issues a signed OpenID Connect id token for the principal behind {@code subjectToken}.
 *
 * The subject is obtained by validating the SSOToken; the token claims are built by {@code buildToken}
 * (issue instant passed in seconds). The JWS is then signed according to the configured algorithm type:
 * HMAC uses the client secret from the token config, RSA uses the key pair obtained from the instance's PKI
 * provider under the configured signature key alias. Any other algorithm type is rejected. When the instance
 * config requests it, the serialized token is also persisted in the CTS.
 *
 * @param subjectToken the session token of the subject the id token is issued for
 * @param stsInstanceState provides the instance config and the PKI provider
 * @param invocationState carries the per-invocation OIDC generation state and the STS instance id
 * @return the serialized, signed JWT
 * @throws TokenCreationException if the algorithm type is neither HMAC nor RSA (BAD_REQUEST), or if CTS
 *         persistence fails (code and message of the CTS exception are carried over, with it as the cause)
 */
@Override
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    final OpenIdConnectTokenConfig tokenConfig = stsInstanceState.getConfig().getOpenIdConnectTokenConfig();
    final long issueInstantMillis = System.currentTimeMillis();
    final String principal = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    // The token carries the issue instant in seconds; the CTS entry below keeps the millisecond value.
    final STSOpenIdConnectToken idToken = buildToken(subjectToken, tokenConfig,
            invocationState.getOpenIdConnectTokenGenerationState(), issueInstantMillis / 1000, principal);

    final JwsAlgorithm algorithm = tokenConfig.getSignatureAlgorithm();
    final JwsAlgorithmType algorithmType = algorithm.getAlgorithmType();
    final SignedJwt signedJwt;
    if (JwsAlgorithmType.HMAC.equals(algorithmType)) {
        signedJwt = symmetricSign(idToken, algorithm, tokenConfig.getClientSecret());
    } else if (JwsAlgorithmType.RSA.equals(algorithmType)) {
        signedJwt = asymmetricSign(idToken, algorithm,
                getKeyPair(stsInstanceState.getOpenIdConnectTokenPKIProvider(),
                        tokenConfig.getSignatureKeyAlias(), tokenConfig.getSignatureKeyPassword()),
                determinePublicKeyReferenceType(tokenConfig));
    } else {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Unknown JwsAlgorithmType: " + algorithmType);
    }
    final String serializedToken = signedJwt.build();

    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.OPENIDCONNECT,
                    serializedToken, principal, issueInstantMillis, tokenConfig.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException e) {
            throw new TokenCreationException(e.getCode(), e.getMessage(), e);
        }
    }
    return serializedToken;
}

Example 4 with OpenIdConnectTokenConfig

use of org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig in project OpenAM by OpenRock.

the class OpenIdConnectTokenGenerationImplTest method testRSAOpenIdConnectTokenGeneration.

/**
 * Generates an id token with an RSA-signing OpenIdConnectTokenConfig and checks that the reconstructed JWT
 * carries the expected subject, audience, acr, issuer and mapped email claim, and that its RSA signature verifies.
 */
@Test
public void testRSAOpenIdConnectTokenGeneration() throws TokenCreationException {
    final OpenIdConnectTokenConfig rsaConfig = buildRSAOpenIdConnectTokenConfig();
    final long authTime = System.currentTimeMillis() / 1000;

    // Identity resolution: any SSOToken maps to SUBJECT_NAME.
    final SSOTokenIdentity identity = mock(SSOTokenIdentity.class);
    when(identity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
    final SSOToken subjectToken = mock(SSOToken.class);

    // Instance state: config exposes the RSA token config, PKI provider is the real implementation over it.
    final STSInstanceConfig instanceConfig = mock(STSInstanceConfig.class);
    when(instanceConfig.getOpenIdConnectTokenConfig()).thenReturn(rsaConfig);
    final STSInstanceState instanceState = mock(STSInstanceState.class);
    when(instanceState.getConfig()).thenReturn(instanceConfig);
    when(instanceState.getOpenIdConnectTokenPKIProvider()).thenReturn(new OpenIdConnectTokenPKIProviderImpl(rsaConfig));

    // Claim mapping: the mapper returns the canned mapped attributes for the subject token.
    final OpenIdConnectTokenClaimMapper claimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(claimMapper.getCustomClaims(subjectToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    final OpenIdConnectTokenClaimMapperProvider claimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    when(claimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(claimMapper);

    final TokenGenerationServiceInvocationState invocationState = mock(TokenGenerationServiceInvocationState.class);
    when(invocationState.getOpenIdConnectTokenGenerationState()).thenReturn(buildOpenIdConnectTokenGenerationState(authTime));

    final OpenIdConnectTokenGenerationImpl generator = new OpenIdConnectTokenGenerationImpl(
            identity, new JwtBuilderFactory(), claimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class));
    final String oidcToken = generator.generate(subjectToken, instanceState, invocationState);

    final SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    final JwtClaimsSet claims = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, claims.getSubject());
    assertEquals(AUDIENCE, claims.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, claims.getClaim("acr", String.class));
    assertEquals(ISSUER, claims.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, claims.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyRSASignature(signedJwt, rsaConfig));
}

Example 5 with OpenIdConnectTokenConfig

use of org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig in project OpenAM by OpenRock.

the class RestSTSInstanceConfig method marshalFromAttributeMap.

/*
    When we are marshaling back from a Map<String, Set<String>>, this Map contains all of the values, also those
    contributed by encapsulated complex objects. So the structure must be 'un-flattened', where the top-level map
    is passed to encapsulated complex-objects, so that they may re-constitute themselves, and then the top-level json entry
    key is set to point at these re-constituted complex objects.

    Note that the marshalToAttributeMap first calls toJson to obtain the map representation, albeit with hierarchical
    elements, which must subsequently be flattened. The 'flattening' performed by marshalToAttributeMap must then
    be 'inverted' by this method, where all complex objects are re-constituted using the state in the flattened map.

     */
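/**
 * Re-constitutes a RestSTSInstanceConfig from the flattened {@code Map<String, Set<String>>} representation
 * produced by marshalToAttributeMap.
 *
 * The encapsulated complex objects (DeploymentConfig, SAML2Config, OpenIdConnectTokenConfig) each rebuild
 * themselves from the flat map and replace their flattened entries with their json form; SAML2 and OIDC configs
 * are optional and are only installed when present. The four list-valued entries (SUPPORTED_TOKEN_TRANSFORMS,
 * CUSTOM_TOKEN_TRANSFORMS, CUSTOM_TOKEN_VALIDATORS, CUSTOM_TOKEN_PROVIDERS) hold one SMS string per element;
 * each is marshalled back into its config object and collected into a JsonValue-wrapped list.
 *
 * @param attributeMap the flattened attribute map
 * @return the config produced by {@link #fromJson} from the un-flattened json
 * @throws IllegalArgumentException if one of the four list-valued entries is missing from {@code attributeMap}
 *         (previously surfaced as an uninformative NullPointerException from the iteration)
 */
public static RestSTSInstanceConfig marshalFromAttributeMap(Map<String, Set<String>> attributeMap) {
    DeploymentConfig deploymentConfig = DeploymentConfig.marshalFromAttributeMap(attributeMap);
    Map<String, Object> jsonAttributes = MapMarshallUtils.toJsonValueMap(attributeMap);
    replaceJsonEntry(jsonAttributes, DEPLOYMENT_CONFIG, deploymentConfig.toJson());

    SAML2Config saml2Config = SAML2Config.marshalFromAttributeMap(attributeMap);
    if (saml2Config != null) {
        replaceJsonEntry(jsonAttributes, SAML2_CONFIG, saml2Config.toJson());
    }
    OpenIdConnectTokenConfig openIdConnectTokenConfig = OpenIdConnectTokenConfig.marshalFromAttributeMap(attributeMap);
    if (openIdConnectTokenConfig != null) {
        replaceJsonEntry(jsonAttributes, OIDC_ID_TOKEN_CONFIG, openIdConnectTokenConfig.toJson());
    }

    replaceJsonEntry(jsonAttributes, SUPPORTED_TOKEN_TRANSFORMS,
            tokenTransformsToJson(attributeMap, SUPPORTED_TOKEN_TRANSFORMS));
    replaceJsonEntry(jsonAttributes, CUSTOM_TOKEN_TRANSFORMS,
            tokenTransformsToJson(attributeMap, CUSTOM_TOKEN_TRANSFORMS));
    replaceJsonEntry(jsonAttributes, CUSTOM_TOKEN_VALIDATORS,
            customOperationsToJson(attributeMap, CUSTOM_TOKEN_VALIDATORS));
    replaceJsonEntry(jsonAttributes, CUSTOM_TOKEN_PROVIDERS,
            customOperationsToJson(attributeMap, CUSTOM_TOKEN_PROVIDERS));
    return fromJson(new JsonValue(jsonAttributes));
}

/** Drops the flattened value stored under {@code key} and installs the re-constituted {@code value} instead. */
private static void replaceJsonEntry(Map<String, Object> jsonAttributes, String key, Object value) {
    jsonAttributes.remove(key);
    jsonAttributes.put(key, value);
}

/**
 * Returns the Set<String> stored under {@code key}, rejecting an absent entry with a message that names the key
 * rather than letting the caller trip over a null.
 */
private static Set<String> requiredAttributeSet(Map<String, Set<String>> attributeMap, String key) {
    final Set<String> values = attributeMap.get(key);
    if (values == null) {
        throw new IllegalArgumentException("Attribute map has no entry for required key " + key);
    }
    return values;
}

/** Marshals each SMS string under {@code key} into a TokenTransformConfig and returns their json forms as a list. */
private static JsonValue tokenTransformsToJson(Map<String, Set<String>> attributeMap, String key) {
    ArrayList<JsonValue> transforms = new ArrayList<>();
    for (String smsString : requiredAttributeSet(attributeMap, key)) {
        transforms.add(TokenTransformConfig.fromSMSString(smsString).toJson());
    }
    return new JsonValue(transforms);
}

/** Marshals each SMS string under {@code key} into a CustomTokenOperation and returns their json forms as a list. */
private static JsonValue customOperationsToJson(Map<String, Set<String>> attributeMap, String key) {
    ArrayList<JsonValue> operations = new ArrayList<>();
    for (String smsString : requiredAttributeSet(attributeMap, key)) {
        operations.add(CustomTokenOperation.fromSMSString(smsString).toJson());
    }
    return new JsonValue(operations);
}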
